Webmaster General Forum

Ok. I'm going to be developing a website which requires registration and sells things. All the sales items can be viewed without logging in but you'll need to be logged in to purchase. Purchases will be by PayPal and Credit Card. So I know I'm going to need an SSL certificate, which I've acquired.

I'm unsure on how I should implement the SSL. If I've understood the way things work correctly, I just need to link to my regular pages prefixed with "https://" instead of "http://". Correct? But what pages to secure? All logged-in pages, or just the registration, login, member updates and checkout pages?

I'm an SSL noob so any advice is welcome. Even if I haven't asked the questions yet :)

I see some sites put everything on a sub-domain like secure.example.com. Is this a good idea?

Is displaying the secure seal a good idea? How do you implement that when some pages are secured and some aren't? How to get the seal to show only on the secured pages? i.e. http:// and https:// display the same physical page? Does it matter if the seal is shown on an unsecured page?

> If I've understood the way things work correctly, I just need to link to my regular pages prefixed with "https://" instead of "http://". Correct?

Yes - but it's *just* as important to link to non secure pages from the secure area. SSL pages are encrypted. This means before sending the data the browser uses the public key to encrypt the data before sending, and the server does the same thing in responding. So SSL pages are notoriously slow. In your template for the secure area, be sure to link back to [any_page...]

> But what pages to secure? All logged-in pages, or just the registration, login, member updates and checkout pages?

Any page that would potentially reveal sensitive information. One misunderstanding people seem to have is that you only need to submit to a secure URL, leaving their payment forms on non-SSL. This couldn't be more false. See above,

> the browser uses the public key to encrypt the data before sending

So if you have a form with credit card info to submit, the URL better start with https or you will be sending that data as clear text.

Login areas - follow other models. Link a page to "log in securely," unless every login leads to information that is sensitive in some way. Log in to a bank account, or some area that allows you to view and change personal details? Definitely. Log in to a forum? Nah.

> How do you implement that when some pages are secured and some aren't? How to get the seal to show only on the secured pages? i.e. http:// and https:// display the same physical page?

Well, you should **not** allow anyone to get to a page that needs to be secure via non-secure http. This can be done with a simple redirect using mod_rewrite. Any request for a secure area that does not start with https gets redirected to https. So that takes care of that. :-) More info in the Apache forum.

> Does it matter if the seal is shown on an unsecured page?

No, it does not. It just advertises you've taken the time to secure the transmission of data where it's required.

However, some seals are loaded via JavaScript and may only load over https to verify the exact page you are on.
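The mod_rewrite redirect the reply above describes, written out as an added example (not code from the thread); it assumes Apache httpd with mod_rewrite enabled and uses /login, /register, /account and /checkout as hypothetical paths for the secure area.

```apache
# Added example, not from the forum thread.
# Assumes: Apache httpd with mod_rewrite enabled, one site served on both
# :80 and :443, and the secure area living under these (hypothetical) paths:
#   /login  /register  /account  /checkout
# Works in a <VirtualHost> block or in .htaccess (the ^/? covers both).
RewriteEngine On

# Any plain-http request for a page in the secure area is sent to the same
# URL over https, so nobody can reach those pages unencrypted.
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(login|register|account|checkout)(/.*)?$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Caveat: a redirect cannot rescue a form that was already submitted over
# http (the card data has left the browser in clear text, and a 301 on a POST
# drops the body). The page that shows the form AND the form's action URL must
# both be https, which is exactly the point made in the reply above.
```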